Thoughts on IPv6, was: Re: Help Broadcasting a UDP packet on the LAN:URGENT

Charles Swiger cswiger at mac.com
Thu Oct 23 14:25:57 PDT 2003


On Thursday, October 23, 2003, at 03:43 PM, Barney Wolff wrote:
> My expectation is the same as yours, but I strongly believe that
> anyone doing a new design that deliberately ignores IPv6 is being very
> shortsighted.  "Quite some time" is now only years, not decades.

It might be useful to consider another perspective on IPv6:

Begin forwarded message:

> From: "Marcus J. Ranum" <mjr at ranum.com>
> Date: Wed Jul 30, 2003  10:26:00 AM America/New_York
> To: Jonn Martell <jonn.martell at ubc.ca>
> Cc: firewall-wizards at honor.icsalabs.com
> Subject: Re: [fw-wiz] Off topic: Any one know of a good IPV6 reference book?
>
> I'm going to try to wrench this topic back to security, after
> having taken a heavy-handed swat at the standards geeks. ;)
>
> Jonn Martell wrote:
>> Doesn't V6 allow for end-to-end encryption and authentication?
>
> Well, if that's what you want, why not use the (various) IPV4
> ESP and AH implementations? Or SSH/SSL?
>
> From a meta-level, before you throw encryption into a security
> solution, ask yourself "what am I trying to accomplish?"  I happen
> to believe that adding crypto into your network layer is pointless.
> Basically, all it gives you is node-to-node trust. Node-to-node
> trust is not exactly great, viz: .rhosts, NFS - they don't work
> very well in environments where an untrusted user can gain
> even a small toe-hold. People are just now *starting* to realize
> that VPNs have a transitive trust problem. Node-to-node does
> not address transitive trust effectively. IMO. If crypto is the answer,
> what is the question?
>
> But if crypto is what you need, you can field it virtually instantly
> using app-space crypto. Switching your whole network architecture
> over just to get the same benefits you can get with SSH/SSL
> seems like a lot of work to go through to avoid having to install
> a single app on your client or server.
>
>> That would solve a lot of issues for secure networks.
>
> I really believe that IP crypto does not actually solve any
> significant security problem in a compelling or useful manner.
>
>> And with the cap off addresses, it should make things very
>> interesting.
>
> If by "interesting" you mean "unmanageable" I've got to agree. :)
>
> What frustrates me about the whole IPV6 thing is that the nominal
> reason for it was because of the address space issues. But there
> were so many simpler options available that nobody wanted to
> take because, frankly, everyone wanted to be part of the fun of
> making up the next big standard. Which was *exactly* the
> mindset that made the ISO protocols a slowly-developing
> trainwreck. Suggestions for simpler (and equally effective)
> approaches were shot down because implementing them would
> have been less *fun*. My favorite was my buddy Andrew's
> idea: quadruple the address space size, left-fill with zeroes,
> bump the version number, and use GPS coordinates on the
> left side of the address so that each individual square foot
> of the planet had its own class C network. Of course you'd
> need to re-do the routing infrastructure but you'll have to do
> that with V6 anyhow...  Or just double the address space,
> bump the version, and left-fill with CIDR-style addresses
> and let Moore's law take care of the backbone router
> capacity issues...
>
> Anyhow, there were approaches to the address space
> problem that were never investigated by the standards
> priesthood because, well, they didn't give people a chance
> to write gnarly code and re-design packet headers. Remember,
> these standards guys are the same guys who called
> SNMP "Simple..."  their idea of a good time does not
> produce efficient, effective real-world solutions.
>
>>  It will change the Internet so that unauthenticated traffic will get 
>> a different class of service.
>
> No, it won't. Why? Because if that was going to happen, it would have
> happened already. The technical underpinnings to do that already
> exist; yet nobody is doing it. Most of the traffic on the Internet is
> unauthenticated!! The trust model won't be much better than if you
> just went into a load balancer and prioritized SSL, SSH, and known
> IP addresses as higher priority than anything else. We can do that
> today, but we don't - because it wouldn't make much difference and
> it's a pain to manage.
>
>> NAT was a hack and although it works fine for small environments it 
>> falls apart for large user networks. The lack of auditing is pure 
>> nightmare for tracking down abuse from the inside in a large network.
>
> NAT is an appalling hack. NAT is an abomination. But I won't
> apologize for it. When I first started building firewalls, I NATed
> networks not in order to save IP addresses, but because most
> companies had existing networks with existing address ranges
> and didn't want to re-address their whole infrastructure just to
> get on the Internet. Does that sound familiar? My guess is that
> the same logic will keep a lot of organizations from re-addressing
> just to get the intangible benefits of IPV6. It wasn't until the mid
> 1990's that IP addresses became a commodity and ISPs started
> shoving NAT down their customers' throats. But now everyone
> already has networks. Unless someone can show that IPV6
> is going to solve some problem that is SO VALUABLE it
> justifies rebuilding networks. NAT + inertia is gonna kill IPV6...
>
>> I applaud the DOD efforts, they created the Internet and I have no
>> doubt that mandating V6 will tip the scales for adoption. They did
>> this in the early 80s with IP, they'll do it again.
>
> It depends on the degree of the mandate. You may call me cynical
> but I lived through "C2 by '92" and I don't believe that mandates mean
> anything unless they are enforced and enforceable.
>
>> PS This is the first time that I find myself disagreeing with 
>> Marcus...
>
> You're in good company, if you do!!! :) Most of the smartest
> people I know disagree with me about something or other!! :)
> It's a badge of distinction! :)
>
> mjr.
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards at honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
